Saturday, March 12. 2011

The third and last day of CanSecWest 2011 is over. Once again we started with talks at 9:00 AM after a breakfast that was actually better than yesterday's (ask me about eating 8 slices of banana bread). As the official CanSecWest party was yesterday, it was no surprise that only about half of the chairs were occupied for the first talk. Fighting hard to get out of bed, I nearly missed the first talk myself.

Chris Eng and Brandon Creighton of Veracode were first to go up on stage. In the third CanSecWest talk about an Adobe product, they exposed many security issues in ColdFusion web applications. First they talked about the usual suspects like XSS and SQL injection and what these attacks look like in ColdFusion code. Then they went through a few other issues that are specific to ColdFusion and not existent in other web application frameworks. For me, the funniest part was the incredible number of variables that are supposed to be server-side read-only but are still writable by web applications. This has plenty of potential for all sorts of unintended havoc.

The second talk was about automated pointer analysis by my former co-worker Vincenzo Iozzo and his friend Giovanni Gola. They talked about doing interprocedural pointer analysis with the goal of automatically finding bugs like double-frees. About five minutes in, I got a work-related call that occupied me for the next half an hour. Shortly after I had headed back into the conference room, the fire alarm went off. I already had ReCon 2010 flashbacks, but fortunately it turned out to be a false alarm. I can't say I saw a lot of that talk, but I am sure it was good.

The fourth and last talk about an Adobe product came from Richard Johnson of Sourcefire. He described some of the internals of the Acrobat Reader sandbox, the abstraction layer that was introduced in Acrobat Reader 10 to mitigate the effects of Acrobat Reader exploits. He also talked about some of the potential weaknesses in the sandbox, for example how the networking code and the filesystem code are not properly sandboxed, potentially allowing attackers to send file information over the network.

More work-related issues made me miss much of the talk about fuzzing by Dan Kaminsky, Adam Cecchetti, and Mike Eddington. From what I saw, they set their fuzzers on applications like MS Office, OpenOffice, and Acrobat Reader and tried to draw conclusions about improvements in product security from the number of exploitable crashes (as determined by !exploitable) they got. The talk itself was pretty entertaining, but the methodology they used to draw the conclusions did not always seem to be solid. Several people asked very good questions during the discussion after the talk. In the end, the speakers made their raw fuzzing result data available to everyone in the form of a SQL dump.

I did not see any more talks today as I had seen the Microsoft talk about fuzzing last week at Microsoft already. I also skipped the last talk because I really don't care enough about fuzzers to see another one of these talks.

So, that is the end of CanSecWest. The line-up this year was pretty fantastic and most of the usual suspects were there. As usual many people are heading up to Whistler again this evening for the post-conference party weekend. Not me, though. Having done this in the last two years already, I actually want to see more of Vancouver now.

Friday, March 11. 2011

Alright, I am back from day 2 of CanSecWest. Even though we started right at 9:00 AM today, surprisingly many people made it to the conference room at the Sheraton Wall Centre on time. I am detecting a disturbing lack of party dedication there. Or maybe all these people were just like me, hoping for a free breakfast. Unfortunately, the free food provided by the hotel gets worse from year to year. Anyway, let's take a quick look at the talks, as today's line-up was amazingly strong.

The day started off with a talk about malware on gaming consoles and mobile devices by DongJoong Ha and KiChan Ahn. They talked about what kind of network attacks are possible by owning always-connected gaming consoles. They also showed how malicious code can be injected into pirated software to build up botnet capabilities with the help of people that really, really need to get the latest Super Mario game for free. I really enjoyed the talk even though they did not really present new ideas. Rather, they ported known techniques from older devices to game consoles. Still, you can never be wrong talking about game consoles in front of a crowd of nerds.

The second talk was called Dynamic Cryptographic Trapdoors by Eric Filiol. That was the only talk I skipped. Eric is a pretty smart guy and when he talks about cryptography it will fry my brain. I did not need this again. Rather, I went outside to hack away for an hour on my Flash RE tools.

After Eric's talk I went back inside to see Haifei Li's talk about ActionScript 3 vulnerabilities in Flash. He focused on type confusion in the ActionScript virtual machine caused by mismatches between what the ActionScript code verifier verifies and what the ActionScript JIT compiler compiles and executes. Due to my day job I have seen exactly that kind of bug roughly a million times already. Still, Haifei's talk was interesting and it is good to see what kind of work other people do on Adobe stuff.

After lunch (my food quality complaint still applies), Andrea Barisani and Daniele Bianco of Inversepath talked about Chip & PIN cards, which are very popular in Europe. They talked a bit about the Chip & PIN standard, its weaknesses, and potential attack vectors. They also brought some surprisingly small skimming devices to show to the audience. Even though this is not my kind of topic, the talk was the most interesting talk of the day. As part of their presentation, Andrea and Daniele produced a short movie that can only be described as legendary. I have already asked them to upload the video to YouTube, but unfortunately they did not warm up to that idea.

The next talk was by Ilja van Sprundel. Oh no, wait. When it was time for Ilja's talk he was not to be found anywhere. Instead, Graeme Neilson went on stage to give his talk first. Graeme talked about different network devices like switches and how to install rootkits on them. As part of his research he took a look at 10 devices from different vendors like Cisco, Juniper, Checkpoint, and others. He then gave three live demos of how fast he can put his own code onto those devices because the network devices lack code integrity checks.

Afterwards it was finally Ilja's time on stage. Unlike the other speakers, he was not content with water. If the man wants beer, the man gets beer. He talked about iPhone security issues but unlike many other researchers he did not focus on iOS but rather on security vulnerabilities on the application level and the iPhone standard library. Stuff like cross-site scripting in default HTML components, format string vulnerabilities, or the misuse of the C-string functions. Unfortunately, Ilja was confused and surprised by the order and content of his own slides once in a while (see photo).

Then it was time for Michael Ossmann to give his talk about Bluetooth hacking. I do not know anything about Bluetooth or hardware hacking in general, so I can not comment on the content of the presentation. However, his slide set design was one of the best I have ever seen at a security conference and his speaking style was very pleasant too. The audience seemed entertained.

The last talk of the day belonged to Marc Schoenefeld. It was a talk about finding font parser bugs with his fuzzer. Most of the time when someone speaks about his awesome fuzzer at a con, he will not talk about the exploitable bugs he has found with it (because he has not found any). Marc did the opposite. He described bug after bug he found in the font parsing engines of the major browsers and operating systems. I have never seen anybody give his talk as deeply relaxed as he did. It was great. I can only come up with one word to summarize his talk: Telephone.

And now I am off to the Tron-themed conference party!

Random observations of the day:

- Apple and Blackberry tried to game the Pwn2Own rules by releasing OS updates for their devices only days before the contest. Then they sent their biggest nitpickers to the Pwn2Own people to make sure that the new OS version was used in the contest. This caused endless delays and much eye-rolling in the audience. All crocodile tears proved useless in the end and both the Blackberry phone and the iPhone fell as usual. No surprises there. More investment in security and less investment in Lincoln-Douglas courses might have helped.
- Google apparently does not have a single PR person here. Why bother if your browser always survives Pwn2Own?
- This is the first conference ever I am attending where my presence has literally no purpose. I am not giving a talk. I am not trying to connect with anyone. I am not giving product pitches or demos. I feel like I am a bum loitering around there.
- Did I mention the food quality already?

Thursday, March 10. 2011

It's CanSecWest time again. How do I know? This morning I woke up in a hotel room and when I looked outside it was pouring cats and dogs. Usually when I wake up in a hotel room it is in a warm and sunny place. Anyway, once again about 400 (I guess) people interested in computer security gathered in the Sheraton Wall Centre in Vancouver, Canada to meet with friends, listen to amazing talks and make fun of HBGary.

The conference started off very unusually. The agenda was on time. That's quite a change compared to the last few years. Admittedly, the organizers moved the first talk to noon this year to make sure that everybody manages to recover from yesterday's conference dinner and karaoke bar. I had arrived early, at around 8, hoping to score some free breakfast, which unfortunately did not happen today. I used the four hours to chat with old friends, some of whom I was very surprised to meet here.

At noon the talks started. The first talk was by Brad Woodberg of Juniper. He talked about network application level firewalls. Admittedly I know absolutely nothing about application firewalls, so I can not comment on the content of the talk. He is a pretty decent public speaker though. I enjoyed the talk.

The second talk was by Aaron Portnoy and Logan Brown of Hewlett-Packard. They talked about their blackbox reverse engineering approach to the Adobe Shockwave player. They described what they did to triage crashes in fuzzed Shockwave files while having no knowledge at all about the Shockwave file format. Using binary instrumentation and a combination of WinDbg and Python, they were able to figure out the custom memory allocator of Shockwave and other important Shockwave internals. At 90 minutes, the talk was unusually long for CanSecWest but worth every minute. They have also promised to make their tools available if people are interested. I will definitely follow up with them to make that happen.

After this talk we had a lunch break and then Pwn2Own began. For the third year in a row, I ventured up to the Pwn2Own room to see what's going on. As usual, this is what happened: Some guy sat down at a computer, pressed a few buttons on the computer, and then the Hewlett-Packard people declared him a winner and there was a round of applause. That's it. You don't get to see more if you are in the audience. If you have never been there and think the whole contest is more exciting than that, I am sorry to disappoint you. I only stayed for the Apple Safari ownage.

The next talk I saw was about runtime firmware integrity checking by Yves-Alexis Perez and Loic Duflot. This was a continuation of the talk they gave at CanSecWest last year, but this time they focused on the defensive side of firmware attacks. Unfortunately, neither of them is a very good public speaker. I left halfway through the talk to work on some things and talk to people outside the conference room.

Alright, now I am heading out to the conference party. The second day of CanSecWest unfortunately starts at 9:00 in the morning.

Random observations of the first day:

Of all the vendor booths, Google was by far the most popular one. It was packed with people stopping by the whole day. Only Amazon managed to keep up with them. Maybe it's because both companies gave away really quirky swag and their booths were staffed by people who looked like engineers. The opposite happened at the Rapid7 booth, which was pretty deserted for literally the whole day. That's what you get if you put two suits up there who could not look more like used car salesmen if they tried and you have marketing cards with dollar signs on your table instead of quirky swag.

Alex Sotirov did live reviews of the talks he saw at http://research.phreedom.org/2011/cansecwest/ . I remember how he told me about this idea at PH-Neutral last year but I never thought he would actually ever start doing it.

Google Chrome survived the first day of Pwn2Own, much to my dismay.

Wednesday, March 2. 2011

During the last year I have implemented quite a few file format parsers for a variety of reverse engineering tools, some in the context of malware detection and others in the context of vulnerability analysis. I wrote file parsers for complex modern file formats like SWF and PDF, for obscure file formats that are older than I am, and for some that are nearly as old as my parents! In total I have written file format parsers for probably around 15 file formats, and I have made some observations about the whole process I would like to share.

Continue reading "Writing file format parsers for reverse engineering tools: Insights from someone who does it too often"